Corporate leaders underestimate security risk from SAP software, survey finds
Corporate leaders significantly underestimate the risk of data breaches through SAP software, according to a survey of 600 IT and IT security pros by the Ponemon Institute and Onapsis.
Seventy-six percent of respondents said their senior leadership understands the importance and criticality of SAP installations to profitability, but only 21 percent of respondents said their leaders recognize SAP cybersecurity risks.
"We see that a lot in our studies. People who are non-IT C-level executives, such as the chief operating officer or chief marketing officer, are not tuned into security. You would think they would be, given the rash of data security issues that happen on a daily basis," Larry Ponemon, chairman of the Ponemon Institute, told FierceITSecurity.
More than half of the companies surveyed, 56 percent, believe it is likely their company would have a data breach due to insecure SAP applications.
This same group indicates their company's SAP platform has been breached an average of two times in the past 24 months.
Ponemon said that there is a lot of passing the buck when it comes to SAP security. In fact, 54 percent of respondents said that security is the responsibility of SAP and not the customer. "We see that in other studies. When it comes to who is responsible for security, fingers are pointing in different directions. No one wants to take responsibility. Or even worse, they call it a 'shared' responsibility, which means that no one is responsible."
In an earlier study, Onapsis laid out three common attack vectors targeting SAP and Oracle enterprise software.
The three common attack vectors are customer data and credit card breaches using "pivoting" tactics; customer and supplier portal attacks using exploitable vulnerabilities; and data warehousing attacks using vulnerable gateways.